Healthcare organizations should expect data breaches

A data breach for healthcare organizations is very likely.

In fact, according to Check Point Research, healthcare organizations experienced 1,426 attacks per week in 2022. Healthcare data (or PHI) is far more valuable in a market exchange than other types of personal data. Healthcare organizations as an industry are most likely to pay the ransom, ranking first with 61% of organizations paying ransom to get encrypted data back, according to Sophos, a cybersecurity provider. Savvy cybercriminals understand the value of personal health data, which can range from $10 to $1,000 per record in online marketplaces, depending on completeness. Additionally, most healthcare organizations have a continuous stream of new employees, resulting in consistently new targets to manipulate.

Cybercriminals are also aware that most healthcare organizations’ systems are interconnected. In this regard, if one system is more vulnerable than another, criminals can attack the more vulnerable system to gain access to other systems with more valuable data.

Vendors are also an easy entry point for cybercriminals. Not all vendors maintain the same level of cyber hygiene. A vendor with less mature cybersecurity infrastructure may be susceptible to a cyberattack and coincidently make the data's owner (the health plan, provider, etc.) vulnerable to a HIPAA breach.

The threat landscape is continually evolving. Some 50% of US firms reportedly were breached by ransomware in 2022, and nearly 35% of these firms paid the ransom to release their data. Making this statistic even more alarming: only about 70% of victims who paid regained access to their data.

Ransomware has evolved into a “double extortion” – attackers extract sensitive information (sometimes for months) before encrypting files; if the victim hesitates to pay, the hackers release some of the stolen data publicly and threaten to post the remainder.

Healthcare provides a large attack surface for criminals to exploit. In general, there are four key paths for exploitation:

  • Stolen credentials
  • Phishing attacks
  • Exploited vulnerabilities
  • Use of botnets

According to the 2022 “Verizon Data Breach Investigations Report” ransomware has continued its upward trend, representing approximately 25% of total breaches. Supply chains were the targets of 62% of system intrusion incidents. Separately, the healthcare industry was the most common victim of attacks caused by third parties, accounting for 33% of incidents in 2021.

The Verizon report noted 82% of these breaches were due to human error. Whether it’s the use of stolen credentials, phishing or simply due to an error, people continue to play a very large role in incidents and breaches.

Leaders of healthcare organizations need to be aware that we’re living in a time when healthcare organizations are no longer preparing to respond to a cyberattack but instead preparing to prevent an attack. The unfortunate reality is that a healthcare organization will likely be attacked or experience a security incident. Understanding this environment is key and assuring that data controls are adequate is critical.

Contact our Mazars healthcare team today to discuss becoming HITRUST certified.

The information provided here is for general guidance only, and does not constitute the provision of tax advice, accounting services, investment advice, legal advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers.